H-ISAC TLP White Vulnerability Bulletins: AMI MegaRAC BMC&C Vulnerabilities – December 5, 2022

Summary:

Eclypsium Research has discovered and reported 3 vulnerabilities in American Megatrends, Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software. Eclypsium is referring to the vulnerabilities collectively as BMC&C.

Health-ISAC is distributing the following vulnerability bulletin in coordination with Eclypsium to create situational awareness surrounding the vulnerabilities in American Megatrends. All members are encouraged to visit the original blog post Supply Chain Vulnerabilities Put Server Ecosystem at Risk.

Eclypsium Blog Post: MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers that are known to have used MegaRAC BMC include but are not limited to the following:

• AMD
• Ampere Computing
• ASRock
• Asus
• ARM
• Dell EMC
• Gigabyte
• Hewlett-Packard Enterprise
• Huawei
• Inspur
• Lenovo
• Nvidia
• Qualcomm
• Quanta
• Tyan

The BMC&C vulnerabilities range in severity from Medium to Critical, including remote code execution and unauthorized device access with superuser permissions. The vulnerabilities can be exploited by remote attackers having access to remote management interfaces (Redfish, IPMI). Redfish is the successor to traditional IPMI and provides an API standard for the management of a server's infrastructure and other infrastructure supporting modern data centers. Redfish is supported by virtually all major server and infrastructure vendors, as well as the OpenBMC firmware project.